ADSS SAM Service
The ADSS Server Signature Activation Module (SAM) Service has been carefully designed to provide high-trust Qualified Remote Signature services. It meets the requirements defined in the ETSI EN 419 241-1 standard and the ETSI EN 419 241-2 Protection Profile, and thus ensures that an end-user's private signing key and Qualified Certificate can only be used under the sole control of the Signer, and only for the intended purpose. Level 2 sole control is supported as a standard feature, interacting with the user's Go>Sign Mobile App on their smartphone. It is possible to allow Level 1 sole control so that the same high-trust SAM Service environment can be used for non-qualified certificates.
ADSS SAM Service offers a REST API over TLS v1.2 and TLS v1.3 that is called by the ADSS RAS Service. Read the ADSS RAS Service description to further understand the authorisation process.
ADSS SAM Service manages registered users and their unique signing keys. In addition, it manages the connection to the hardware security modules and manages key backup and restore.
In Qualified mode the HSM must be an EN 419 221-5 certified HSM. Currently only the Utimaco CP5 PCIe HSM held in the ADSS SAM Appliance is supported and covered by the CC EAL4+ certification process. In non-qualified mode a range of other HSMs are supported: